SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01612418
Version: 1
HPSBMA02391 SSRT071481 rev.1 - HP OpenView Reporter and HP Reporter Running on Windows, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-12-08
Last Updated: 2008-12-08
2009-07-15: vendor provides initial feedback, classifies the security impact as low
2009-08-09: oCERT asks for feedback about the timescale for eventual fixes
2009-08-24: vendor replies that most issues will not be fixed as they are present in deprecated extensions or are not understood
2009-08-25: reporter offers to clarify all the issues and provides test cases
2009-08-26: after reporter feedback vendor commits more fixes
2009-10-05: reporter asks clarification about fixed/pending bugs
2009-10-27: after further reporter feedback vendor commits more fixes
2009-11-30: advisory published
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01109617
Version: 2
HPSBMA02238 SSRT061260 rev.2 - HP OpenView Reporter Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-10-30
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01109617
Version: 1
HPSBMA02238 SSRT061260 rev.1 - HP OpenView Reporter Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-08-07
2009-02-13: vulnerability report and patch received
2009-02-16: contacted littlecms maintainer
2009-02-16: oCERT investigated for other potential affected projects
2009-02-20: maintainer provides updated patch
2009-02-20: reporter provides new patch fixing memory leak
2009-02-21: maintainer provides fixed beta version
2009-02-23: reporter confirms fixes
2009-02-24: contacted affected vendors providing combined security patch and beta version, recommending the latter
2009-03-02: patch found to break functionality, contacted affected vendors
Timeline:
2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release
References:
* Users without the "canconfirm" privilege could enter a bug as NEW
or ASSIGNED by using the XML-RPC interface.
* When viewing several bugs at once, there was a Cross-Site Scripting hole.
* The inbound email interface allowed you to set the Reporter via the
text of the email, instead of just using the From header.
All affected installations are encouraged to upgrade as soon as possible.
Vulnerability Details
construction.
Both software packages have released fixed versions which limit the allowed
object count to a domain specific value.
A detailed analysis by the reporter can be found in the References.
Affected version:
Poppler < 0.12.1
2009-03-12: vulnerability report received
2009-03-12: contacted AjaxTerm maintainer
2009-04-18: oCERT contacts various vendor security teams seeking developers familiar with AjaxTerm
2009-04-28: due to lack of feedback oCERT asks reporter to disclose the issue
2009-04-29: reporter agrees to disclosure
2009-05-11: advisory release
References:
Timeline:
2009-05-21: vulnerability report received
2009-05-21: contacted camlimages maintainers
2009-06-30: due to lack of feedback oCERT asks reporter to disclose the issue
2009-07-01: reporter agrees to disclosure
2009-07-02: assigned CVE
2009-07-02: advisory release
Permalink:
2009-05-22: vulnerability report received
2009-05-22: contacted libtiff maintainer
2009-06-30: report resent to maintainer due to lack of response
2009-07-01: maintainer provides patch
2009-07-04: reporter confirms fixes
2009-07-04: oCERT requests one week embargo for vendor notification
2009-07-04: maintainer confirms embargo
2009-07-07: contacted affected vendors
2009-07-07: assigned CVE
2009-07-07: improved patch contributed by Tom Lane of Red Hat
CVE: CVE-2009-2999 (malformed SMS DoS)
Timeline:
Malformed SMS DoS:
2009-06-19: reporters send report to Android Security team
2009-07-16: Android Security team releases patch to Android users
2009-07-30: Android Security team publicly releases patch to open source Android
2009-08-27: Android Security Team, on behalf of Collin Mulliner, requests assistance from oCERT
-- Affected Products:
HP OpenView Internet Service
HP OpenView Performance Manager
HP OpenView Performance Agent
HP OpenView Reporter
HP OpenView Operations
HP OpenView Operations Manager for Windows
HP OpenView Service Quality Manager
HP OpenView Network Node Manager
HP OpenView Business Process Insight and Related Products
On 24.10.2009 20:59, Anton Ivanov wrote:
>> Not to tell about
>> that /proc/<PID>/fd/ contains only symbolic links, not files, so I can't
>> understand, how the original reporter managed to gain access to the file in the
>> restricted directory using that symlink.
>
> The perms are definitely broken and without a code audit on procfs I
> would not bet that this is limited just to this rather obscure test
> case.
>
Major Julian Charvat (GBR), COE DAT, Ankara, Turkey
Terrorism and Cyberspace: the use of the Internet by terrorist
organizations and the possibilities of terrorist cyber attacks
Cyrus Farivar, Freelance Technology Journalist
“Web War One”? Really? Media Coverage of Cyberattacks
Andrea Glorioso, European Commission - DG Information Society and Media
New European Policy on Critical Information Infrastructure Protection
Dr. Stuart H. Starr, Senior Research Fellow, Center for Technology and
>>> U.S.). Denial-of-service against arbitrary phone numbers through
>>> mass-calling. User cannot prevent attack.
>>>
>>> -----------------------------
>>>
>>> Reporter: Collin Mulliner <collin[AT]mulliner.org>
>>>
>>> -----------------------------
>>>
>>> Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
>>>
The problem raised in the original mail is to some extent artificial, as the
only users able to access /proc/<PID>/fd/ are the user with the same UID, as the
process EUID, and root, and if the process is either setuid or setgid,
/proc/<PID>/fd of that process is accessible only by root. Not to tell about
that /proc/<PID>/fd/ contains only symbolic links, not files, so I can't
understand, how the original reporter managed to gain access to the file in the
restricted directory using that symlink.
--
Sincerely Your, Dan.
http://www.winamp.com/plugins/details.php?id=187 has this problem. (That bug
was reported years ago already though.)
Irssi
=====
I now put off my reporter hat, and put on my Irssi developer hat :)
This has been fixed in all scripts on the irssi site, and irssi 0.8.11
prevents scripts from making this bug.
I'm not aware of other clients or scripts having released a fixed version.
===================================
:Title: XML Injection in PyBlosxom
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: PyBlosxom v1.4.3
:Fixed in: --
Description
2008-08-05: initial report and proof of concepts received.
2008-08-18: affected software survey completed by oCERT.
2008-08-18: externalinput.php/Popoon author contacted.
2008-08-19: Horde author contacted.
2008-08-19: initial patches for Horde and Popoon supplied by vendors.
2008-08-19: reporter calls out additional possible vectors in externalinput.php.
2008-08-20: secondary fix for externalinput.php supplied.
2008-08-20: attempted to contact CakePHP.
2008-09-04: final Horde patches supplied.
2008-09-04: potentially affected oCERT members and vendor-sec notified.
2008-08-05: CVEs assigned.
Timeline:
2009-05-03: vulnerability report received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: preliminary advisory release with mitigation instructions due to
--------
- Upgrade to Openads 2.4.3
Credits
-------
- Reporter: Tanatik
Contact information
====================
Crash of the parser for parts of a NDEF record, reboots
graphical user interface (GUI) of phone.
-----------------------------
Reporter: Collin Mulliner <collin[AT]mulliner.org>
-----------------------------
Affiliation: MUlliNER.ORG / the trifinite group
2009-05-21: vulnerability report received
2009-06-18: contacted dillo maintainer
2009-06-18: maintainer requests PoC
2009-06-19: PoC is supplied
2009-06-19: maintainer provides patch
2009-06-24: revised patch is provided after reporter feedback
2009-06-25: patch is confirmed, maintainer requests one week of time to investigate further areas of the browser
2009-07-01: dillo developer proposes security release coordination
2009-07-03: advisory release
===================================
:Title: Format string vulnerability in 5th street (Hot Step, High Street 5)
:Severity: Critical
:Reporter: Blue Moon Consulting, superkhung
:Products: 5th street and derived clients
:Fixed in: --
Description
===================================
:Title: Multiple vulnerabilities in OpenSite v2.1
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: OpenSite v2.1
:Fixed in: to be fixed in 3.0
Description
. 2010-03-15:
MSRC confirms that Hyper-V is not affected. Asks for a copy of the
advisory to be published on the 16th.
. 2010-03-15:
MSRC notes that it was contacted by a reporter inquiring about the issue.
. 2010-03-15:
Core acknowledges receipt of previous email, says that the advisory is
still in the editing process and indicates that a press release will be
published as well. Speculates that the press inquiry may have been the